DOWNAD/Conficker Turns 1yr
- Wednesday, November 4, 2009, 2:05
- Threat Research
- 9 views
Worm Exploits MS08-067 BugDOWNAD, also known as the Conficker worm, was first seen in the wild taking advantage of the MS08-067 vulnerability. True to form, it propagated via shared networks. Like its predecesors—the Sasser and Nimda worms—it also raised security concerns with regard to a spike in port 445 activity.
A few days after its appearance, reports suggested that the threat had spread. More than 500,000 unique hosts spread across networks in the United States, China, India, the Middle East, Europe, and Latin America fell prey to the threat. Several residential broadband service providers also reported having an even larger number of infected customers.
New Year, New Variant
In January of this year, a few security websites and media outlets reported a wave of detections of another DOWNAD variant.
This variant first sent exploit packets for a Microsoft Server Service Vulnerability to every machine on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself in the Recycler folder of all available removable and network drives and created an obfuscated autorun.inf file on these drives so it can execute every time a user browsed a network folder or removable drive without actually clicking on the file. It then enumerated the available servers on the network and, using this information, gathered a list of user accounts on the machines.
Afterward, it ran a dictionary attack against these accounts using a predefined password list. If it succeeds, it dropped
...Read the original story
